(54) Title: FRAUD MONITORING IN A TELECOMMUNICATIONS NETWORK
(57) Abstract

A method of and system for detecting the possible fraudulent
use of a telecommunications network involves applying rule-based
criteria to generate a plurality of fraud alarms, each corresponding to
an individual rule. Each alarm is associated with a particular customer,
and for each individual customer a note is made of the total alarms
generated by that customer and the grouping of individual alarm types
generated. The customer's call is then determined to be fraudulent
or otherwise based upon prior experience of past customers who have
generated that particular profile of alarm grouping and total number of
alarms. The system automatically outputs a list of potentially fraudulent
customers, the accounts of which may either be further investigated or
may automatically be inhibited.

FRAUD MONITORING IN A TELECOMMUNICATIONS NETWORK

The present invention relates to a telecommunications network and more
particularly to a method of, and a system for, detecting the possible fraudulent use
of a telecommunications network.

Rule-based fraud detection systems attempt to detect fraudulent usage by
comparing details of individual calls over the telecommunications network with a
series of one or more predefined rules. If a particular usage of the network (to be
referred to throughout this specification as a "call record") triggers one or more of
the predefined rules, an alarm is generated, enabling human operators to take the
necessary action. While such systems have had some success in combating
fraud, difficulties tend to arise due to the sheer number of alarms that can be
generated within a short time. Typically, fraud detection operators may have tens
of thousands of live alarms to deal with during a day, and it is therefore generally
impractical to deal with each individual alarm as it arises. Methods have been
developed for consolidating or grouping the fraud alarms based on their priority,
but the workload for the fraud operators still remains substantial.

Work has been done to provide correlated fault alarms for identifying
possible faulty network devices and/or failure of communication links in
telecommunication networks. However, the correlation process here relies very
much upon the fact that the network topology is well known, with the alarms and
the alarm correlations being calculated on that basis.

It is an object of the present invention at least to alleviate these problems.
It is a further object to provide a method of, and a system for, detecting the
possible fraudulent use of a telecommunications network which can be used
across a range of products and services.

According to a first aspect of the present invention there is provided a 
method of detecting the possible fraudulent use of a telecommunications network, 
the method comprising: 

(a) receiving alarms indicative of potentially fraudulent calls on the
network, the alarms being divided into a plurality of alarm types;

(b) associating a unique customer identifier with each alarm;

(c) selecting a test class of customer identifiers such that each
customer identifier in the test class is associated with a given grouping of alarm
types;

(d) identifying those customer identifiers within the test class that are
associated with known fraudulent calls and deriving a measure therefrom indicative
of fraud within the test class; and

(e) determining that any customer identifier associated with further
alarms is connected with fraudulent use of the network if it falls within the said
test class and if the said measure for that class exceeds a given level.

According to a second aspect of the invention there is provided a system
for detecting the possible fraudulent use of a telecommunications network, the
system comprising:

(a) means for receiving alarms indicative of potentially fraudulent calls
on the network, the alarms being divided into a plurality of alarm types;

(b) means for associating a unique customer identifier with each alarm;

(c) means for selecting a test class of customer identifiers such that
each customer identifier in the test class is associated with a given grouping of
alarm types;

(d) means for identifying those customer identifiers within the test class
that are associated with known fraudulent calls and deriving a measure therefrom
indicative of fraud within the test class; and

(e) means for determining that any customer identifier associated with
further alarms is connected with fraudulent use of the network if it falls within the
said test class and if the said measure for that class exceeds a given level.

By iterating the method, the system gradually learns and becomes more
effective at identifying fraud.

The invention discovers patterns in the alarm data, and operates on those,
rather than operating on the rules that generate the alarms themselves.
Preferably, the system attempts to detect fraudulent usage by measuring and
comparing the parameter values of individual calls, over the telecommunications
network, against pre-set thresholds within the detection rules. This allows for a
reduced number of derived alarms to be created, thereby easing the task of the
fraud operators. In contrast with known network fault alarm correlations, the
invention is not limited to use on any specific network or on any specific model.
Instead, it identifies fraud trends by identifying patterns in particular groupings of
raw alarms. The solution is applicable across all products and services.

In one form, the invention may provide the fraud operators with a display
identifying, in order, those groups of alarms which are most indicative of the
presence of fraud and, against each group, a list of (normalized) customer
identifiers whose calls have triggered alarms in that particular group. A numerical
measure may be associated with each grouping, providing the fraud operators with
a quantitative estimate of the probability that a particular customer identifier is
associated with fraudulent calls.

The system may automatically determine that certain alarm groupings are
associated with fraud (for example if the measure exceeds a predefined value), and
may automatically inhibit the user accounts corresponding to the user identifiers
which fall within those groupings. Alternatively, the information may be provided
to human operators, who may reserve to themselves the final decisions.

It is not essential, of course, that the measure takes the form of a single
numerical value. It could, instead, consist of several numerical or non-numerical
indicators that may be tested against a predefined level. Again, the given level in
that case need not itself be a single numerical value. It will be understood, of
course, that if the measure increases with fraud, then it will exceed the given level
in the upward-going direction when the measure is larger than the level. On the
other hand, if the measure is designed to fall with increasing fraud, then it will
exceed the given level in the downward-going direction when it falls to a value
below that of the given level.

In its various forms, the invention, or preferred aspects of it, may provide
a very concise easily-understood presentation of alarm information to the fraud
operator. It provides improved use of alarm data, along with the flexibility to add
new alarm types and continuously to detect and learn new alarm types. It allows
easier detection of fraud by the human operator, or alternatively may be arranged
to detect fraud automatically. This may provide substantial revenue savings from
the increased ability of the fraud detection systems, as a whole, to detect fraud at
an early stage and to apply preventative measures.

The invention may be carried into practice in a number of ways and one 
specific embodiment will now be described, by way of example, with reference to 
the accompanying figures, in which: 

Figure 1 shows how the system is trained and the alarm patterns are
refined over time; and

Figure 2 shows how the system is used on real data but continues to learn
new patterns through performance evaluation.

The fraud detection method and system shown in Figures 1 and 2 may
typically be embodied in a computer program running on a dedicated server which
is attached to the telecommunications network to be monitored. Depending on the
size of the network, there may be a single server, or the system may be duplicated
on several servers, spaced across the network. All or parts (modules) of the
system could alternatively be hard-coded rather than being embodied by way of a
computer program, especially the modules engaged in pure computation. The
system is designed to receive information from external sources across the
network, in the form of a plurality of fraud alarms Ai. These alarms are generated
by testing each call that is made on the telecommunications network against a
corresponding rule set, with the alarm being automatically activated if the call
matches the requirements of the rule. The rules are preferably independent, or at
least partially so, so that if for example a single call activates alarms A1 and A2,
the existence of both alarms provides some additional evidence by way of
cross-check that the call is indeed fraudulent, over and above the information that
would be provided by one of the alarms alone. One rule might state, for example, that
fraud is a possibility if the call is an international call being made from a public call
box to a country known to be a supplier of illegal drugs. Another rule might
suggest fraud if the call has been paid for by charge-card, and the call does not fit
the call history on that particular account. A further rule might suggest that fraud
is taking place if a low-usage charge-card customer suddenly starts making a long
series of international telephone calls to different countries from a public 'phone
box.

Each alarm Ai may be associated with a particular customer Ci who is
paying the bill for the call that generated that alarm.

For ease of description the preferred embodiment will be described with
reference to Figures 1 and 2, and concurrently in association with a hypothetical
worked example. The example will assume that alarms are generated by four
different rules, giving rise to four separate alarm types A1, A2, A3 and A4. It will
also be assumed that the network has nine customers, identified respectively as C1
to C9.

Before the system may be operated on live data, it first has to be trained
through various training cycles using a set of pre-existing alarm data. This is data
that has been already analysed by the fraud operators who have labelled each
alarm accordingly as indicative of real fraud or not fraud. Turning first to Figure 1,
the test alarms are received by the system at 10, and the corresponding Ci for
each alarm Ai is then determined at 12. To assist in this determination,
information from an external or internal database 14 may be used. If the
customer is a direct customer of the telecommunications network owner, customer
details may be looked up directly in the corresponding customer database. On the
other hand, the customer may have connected into the network being monitored
via another network (perhaps abroad) and the fraud operators may accordingly
have no direct access to customer and billing details for that particular customer.
In such a case, the customer is merely identified for the purposes of the system by
a unique reference number; this could come from information provided by the
owner of the foreign network or, in the absence of that, from a combination of the
calling number and the called number.

Once each alarm Ai has been associated with a particular customer Ci, the
information is passed on to a statistical analyser module 15 which first groups the
alarms by Ci as indicated at 16. A typical grouping for the example being
considered might be as follows:



WO 97/37486    PCT/GB97/00836

Training Set:

Each cell in the table represents the number of times a particular alarm has
been triggered for that particular customer. For example, customer C1 has
triggered alarms A1, A2 and A3 once each, and has triggered alarm A4 twice. The
last column in the table, labelled Xi, simply represents the total number of alarms
of all types for customer

The alarms in the training set are now re-grouped into the "N-type list"
shown below. This is a table in which each row represents one of the possible
groupings G of the alarms Ai, as determined from the training set. Each column of
the table represents the total number of alarms of all types, Xi. Each customer Ci
appears exactly once in the table.



N-type List:

G              Xi = 5      Xi = 4    Xi = 3
A1 A2 A3 A4    C1 C5 C8    C3 C4
A1 A2
A3 A4          C2 C7 C9


It can be seen from the table that there are three customers who actuated
a total of five alarms in all four alarm types, namely C1, C5 and C8.

The information from the N-type list is passed to a pattern extractor
module 19, which first analyses it, at 20. Input is provided from the training set
22 and from an external database 24 which might include, for example, details of
the billing and/or call histories of the customers being investigated. The analysis is
carried out by asking skilled operators to check the training set, and to determine
for each of the customers Ci whether that customer is in fact fraudulent or not.
From the information in the external database, the fraud operators may be able to
say with some certainty that particular customers are indeed acting fraudulently.
For this particular example it will be assumed that customers C1, C3, C5 and C9 are
fraudulent; these are shown in bold type in the N-type list above.

At step 26, alarm patterns are produced by considering individually each
populated cell within the table. Taking first the top left cell, it will be apparent
that two of the three customers in that cell are considered fraudulent, so it can be
said that the chance of a customer falling into that cell being fraudulent is some
67%. In the adjacent cell, containing C3 and C4, only one of the two customers
has been flagged as fraudulent, so the ratio for that cell is 50%. Continuing with
the other cells, one can produce an alarm pattern table as follows:





F      Xi    G              Ci
67%    5     A1 A2 A3 A4    C1 C5 C8
50%    4     A1 A2 A3 A4    C3 C4
33%    5     A3 A4          C2 C7 C9
       3     A1 A2





In the alarm pattern table, each populated cell in the N-type list has its
own row, the rows being ordered by the value of F, the likelihood of a customer
who appears in that row being fraudulent.

In the above table, the group A1 A2 A3 A4 appears twice, and the table is
now refined so that each alarm group is represented by a single row. The
combined likelihood for the first two rows can be computed using the formula:

$$F = \frac{\sum_{j} X_{j} F_{ij}}{\sum_{j} X_{j}}$$

where j runs over the distinct Xj for this alarm group
(here there are 2, since Xj = 4 and 5), and

Fij = the partial likelihoods of each row (here 67% and 50%).

This gives a combined likelihood for the first two rows of

$$F = \frac{5 \times 0.67 + 4 \times 0.50}{5 + 4} = 59.4\%.$$

This, then, is the overall likelihood of fraud within the group A1 A2 A3 A4.
Each combined or individual likelihood Fi may have associated with it a
confidence value Ki (not shown in the table above). This may be computed as the
ratio of fraudulent customers in this group to the number of fraudulent customers
in all groups detected in the current training set.

After rebuilding the table and ordering by combined likelihood values, one
may see from the Ci column that customers C1, C5 and C3 are fraudulent, and that
C4 and C8 are suspicious. The system may automatically keep track of the
fraudulent and suspicious customers by storing them in appropriate databases,
including a suspicious customer database 30 (Figure 1).



The current table now reads as follows:

F        K      Xi      G              Ci
59.4%    75%    5, 4    A1 A2 A3 A4    C1 C5 C8 C3 C4
33%      25%    5       A3 A4          C2 C7 C9
                3       A1 A2

Where the values are here assumed to have been calculated as shown based
upon the rest of the data set.

It will be noted that customers C8 and C4 appear in the top row, along
with C1 and C5, indicating that they may be fraudulent as well. Customer C9, on
the other hand, appears in the second row with C2 and C7; so C2 and C7 have to
be treated as suspicious.

The system now learns the patterns set out in the alarm pattern table, at
step 28 of Figure 1. The learned patterns include a cut-off point above which
customers are to be deemed potentially fraudulent; here, the cut-off point may be
for example 30%, so that groups A1 A2 A3 A4 and A3 A4 may be considered as
indicative of at least potential fraud.

In an alternative embodiment, the value of F may be calculated in some
more sophisticated way than simply taking the number of known fraudulent
customers in a particular cell, and dividing by the total number of customers in that
cell. The figures might be weighted, for example, in dependence upon the cost of
the potential fraud. This could be derived from the cost of all of the individual
calls made by the customer which have produced alarms, or all of such calls that
have taken place over a defined period such as the last seven days. Other criteria
may no doubt occur to the skilled man.

The next stage in the procedure is to refine and update the learned
patterns through a new training cycle. A new training data set is provided at the
input module 10 and after the same computations as previously described, new
alarm types are produced and the old ones are updated, as described below, at 26.

Let us assume now that during the second training cycle the group A1 A2
A3 A4 consists of only one fraudulent customer, and that Xi for that customer
equals 3. Accordingly, using the same analysis as before, the value of Fi for that
group will be 100%. Let us assume, further, that the corresponding confidence Ki
equals 10%.

The likelihood of fraud for this new alarm group is now updated at 26
using the equation:

$$F_{\text{update}} = F_{\text{old}} K_{\text{old}} + K_{\text{new}} F_{\text{new}}$$

For the present example, this gives:

$$F_{\text{update}} = 59.4 \times 0.75 + 0.1 \times 100 = 54.5\%.$$

Once the patterns have been updated at 26, they are then learned at 28. 
Once the underlying patterns have been revised as necessary to provide optimal 
performance, the final alarm pattern is output and/or stored for use on live data. 

Turning now to Figure 2, we will describe how the system is run on real
alarm data (that is live, unlabelled alarms). The live data to be monitored arrives
by way of the live alarms 210, against which are computed the corresponding
customers Ci at step 212. As before, an external database 214 may be used as
necessary. The alarms are grouped by Ci at 216, and N-type lists constructed at
218.

The final alarm pattern table is applied against the N-type list at 220, and
any customer who appears in the top row of that list (or more generally, who
appears in any of the uppermost rows in which the value F is greater than a
defined threshold value) is output at 221 as a fraudulent customer.
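
The training, update and live-scoring steps described above, as an added
example in Python (not code from the patent). Only C1's alarm counts, the
fraud labels and the 30% cut-off come from the text; the other counts in
TRAINING are constructed to reproduce the N-type list, and C6's row and the
LIVE customers are assumptions. Exact fractions give 59.3% where the text,
rounding 2/3 to 0.67, gets 59.4%.

```python
from collections import defaultdict

# Constructed training set: alarm counts per customer and alarm type. Only
# C1's counts are stated in the text; the others are made up to reproduce
# its N-type list, and C6's row is an assumption (that cell is blank there).
TRAINING = {
    "C1": {"A1": 1, "A2": 1, "A3": 1, "A4": 2},
    "C5": {"A1": 2, "A2": 1, "A3": 1, "A4": 1},
    "C8": {"A1": 1, "A2": 2, "A3": 1, "A4": 1},
    "C3": {"A1": 1, "A2": 1, "A3": 1, "A4": 1},
    "C4": {"A1": 1, "A2": 1, "A3": 1, "A4": 1},
    "C2": {"A3": 3, "A4": 2},
    "C7": {"A3": 2, "A4": 3},
    "C9": {"A3": 1, "A4": 4},
    "C6": {"A1": 2, "A2": 1},
}
KNOWN_FRAUD = {"C1", "C3", "C5", "C9"}  # operator labels given in the text

# Constructed live (unlabelled) alarm counts; customer names are hypothetical.
LIVE = {
    "L1": {"A3": 1, "A4": 1},
    "L2": {"A1": 1, "A2": 1},
    "L3": {"A1": 1, "A2": 1, "A3": 2, "A4": 1},
    "L4": {"A2": 1},  # grouping never seen in training
}


def grouping(counts):
    """Alarm grouping G: the set of alarm types a customer has triggered."""
    return tuple(sorted(a for a, n in counts.items() if n > 0))


def n_type_list(alarm_counts):
    """Cells keyed by (G, total alarms X), each holding its customers."""
    cells = defaultdict(list)
    for customer, counts in alarm_counts.items():
        cells[(grouping(counts), sum(counts.values()))].append(customer)
    return dict(cells)


def pattern_table(cells, known_fraud):
    """One row per grouping: X-weighted likelihood F and confidence K."""
    rows = defaultdict(lambda: {"wsum": 0.0, "xsum": 0, "fraud": 0, "customers": []})
    for (group, total), customers in cells.items():
        fraud = sum(c in known_fraud for c in customers)
        row = rows[group]
        row["wsum"] += total * fraud / len(customers)  # X_j * F_ij
        row["xsum"] += total                           # X_j
        row["fraud"] += fraud
        row["customers"] += customers
    all_fraud = sum(r["fraud"] for r in rows.values()) or 1
    table = {g: {"F": r["wsum"] / r["xsum"], "K": r["fraud"] / all_fraud,
                 "customers": sorted(r["customers"])} for g, r in rows.items()}
    # Most fraud-indicative groupings first, as on the operator display.
    return dict(sorted(table.items(), key=lambda kv: -kv[1]["F"]))


def update_likelihood(f_old, k_old, f_new, k_new):
    """Update rule from the text: F_update = F_old*K_old + K_new*F_new."""
    return f_old * k_old + k_new * f_new


def flag_live(live_counts, table, cutoff):
    """Customers whose grouping has a learned F above the cut-off."""
    hits = []
    for customer, counts in live_counts.items():
        row = table.get(grouping(counts))
        if row is not None and row["F"] > cutoff:  # unseen grouping: no verdict
            hits.append((customer, round(row["F"], 3)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    table = pattern_table(n_type_list(TRAINING), KNOWN_FRAUD)
    for group, row in table.items():
        print(" ".join(group), f"F={row['F']:.1%} K={row['K']:.0%}", row["customers"])
    print("updated F:", update_likelihood(0.594, 0.75, 1.0, 0.10))
    print("flagged:", flag_live(LIVE, table, cutoff=0.30))
```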




The fraudulent customers list 221 is considered by the fraud operators at
222, and those customers who are considered to be truly fraudulent have their
accounts inhibited at that stage. In deciding which customers are truly fraudulent,
the fraud operators may have access to additional database information, as
indicated at 224.

The labelled list of true fraudulent customers is then sent back, as 
indicated in Figures 1 and 2, to the pattern extractor module 19 where the pattern 
likelihoods are adjusted accordingly, and new alarm groups are added as 
necessary. 

Then the whole process is restarted on receipt of a new group of real alarm
data at 210 for processing. The process shown in Figure 2 is continually
reiterated, with the result that the grouped alarms, the N-type list and the alarm
pattern table continually change according to the customers currently involved
and the particular alarms and alarm groups they have generated. The alarm
pattern table may be shown on the fraud operator's screen, and will constantly be
updated as the groupings and the customers change. As customer accounts are
inhibited, customers in the uppermost rows which are now defined as fraudulent
continually disappear, with others coming in all the time.

The fraud operators are provided with a readily-comprehensible list of
potentially fraudulent customers (from the suspicious customers database 30),
ordered according to the likelihood of fraud. It is therefore relatively easy for the
operators to inhibit accounts as necessary, either manually or automatically. A
combination of both may be used, for example all customers having a value of F
greater than 95% may automatically have their accounts inhibited, and all
customers having a value F between 85% and 95% may be considered for further
manual investigation.

Some customers may of course not be customers of the
telecommunications network which is being monitored, in which case it may not
be possible to inhibit their accounts. However, since each customer has a unique
reference identifier the necessary information can be passed to the owners of
the external network from which the call is emanating, suggesting that they might
investigate this particular customer account.

Manual or automatic investigations may also be made as to the
connections between the fraudulent customers, to check for evidence of organised
crime.

The threshold in F for determining whether a customer is fraudulent may
be varied either manually or automatically as desired. Continually varying the
cut-off points avoids the problem of fraudsters getting to know what the cut-off
points are, and altering their behaviour accordingly.

It will be understood of course that in a practical system there may be an
extremely large number of alarm categories Ai, and a consequently large number of
category groups G in the N-type list. There will also be a large number of
customers, with the result that the statistical analysis involved in creating the
alarm pattern table will be substantially more reliable than may have appeared from
the simplistic example that has been used for the purposes of discussion.

In one preferred embodiment, the system may keep a running total over
time of the percentage of customers falling into each cell of the N-type list who
either automatically or manually have their accounts inhibited as being used
fraudulently. This information may be used to provide constantly updated values
of F for each cell or alarm grouping, thereby allowing the order of entries in the
alarm pattern table to change over time as the fraudsters' behaviour varies.

CLAIMS:

1. A method of detecting the possible fraudulent use of a
telecommunications network, the method comprising:

(a) receiving alarms indicative of potentially fraudulent calls on the
network, the alarms being divided into a plurality of alarm types;

(b) associating a unique customer identifier with each alarm;

(c) selecting a test class of customer identifiers such that each
customer identifier in the test class is associated with a given grouping of alarm
types;

(d) identifying those customer identifiers within the test class that are
associated with known fraudulent calls and deriving a measure therefrom indicative
of fraud within the test class; and

(e) determining that any customer identifier associated with further
alarms is connected with fraudulent use of the network if it falls within the said
test class and if the said measure for that class exceeds a given level.

2. A method as claimed in Claim 1 in which the measure is a weighted or
unweighted function of the number of:

(A) customer identifiers within the test class that are associated with
known fraudulent calls; and

(B) the total number of customer identifiers in the test class.

3. A method as claimed in Claim 2 in which the function is the ratio (A)/(B).

4. A method as claimed in any one of Claims 1 to 3 in which the measure is 
a function of the potential costs of the known fraudulent calls related to customer 
identifiers falling into the test class. 

5. A method as claimed in any one of the preceding claims in which the said
given level is user-defined.

6. A method as claimed in any one of the preceding claims in which the said
given grouping of alarm types is at least partly defined by a unique combination of
available alarm types or of any subset thereof.

7. A method as claimed in any one of Claims 1 to 5 in which the said given
grouping of alarm types is at least partly defined by:

(a) a unique combination of available alarm types or of any subset
thereof; and

(b) the total number of alarms of all types for that combination.

8. A method as claimed in any one of the preceding claims including
selecting a plurality of test classes associated with a corresponding plurality of
given groupings of alarm types.

9. A method as claimed in Claim 8 including selecting all possible groupings
of alarm types from all unique combinations of available alarm types or of any
subset thereof.

10. A method as claimed in Claim 8 or Claim 9 including deriving an individual
measure from each of the test classes, and sorting the test classes in order
according to the values of the individual measures.

11. A method as claimed in Claim 10 including displaying the test classes in
the said order along with information on the customer identifiers falling into each
test class.

12. A method as claimed in any one of the preceding claims including the step
of inhibiting a user account associated with a customer identifier determined as
being connected with fraudulent use of the network.

13. A method as claimed in any one of the preceding claims including updating
the measure in step (d) on the basis of an independent analysis as to whether the
customer identifier determined at step (c) to be associated with fraud has been
correctly so determined.

14. A method as claimed in Claim 13 when dependent upon Claim 11
including automatically updating the display of test classes.

15. A method as claimed in any one of the preceding claims including
maintaining a database of customer identifiers and, associated with the customer
identifiers, the number of alarms generated by that customer broken down by
alarm type.

16. A method as claimed in Claim 15 in which the database further includes
the total number of alarms of all types corresponding to each customer identifier.

17. A system for detecting the possible fraudulent use of a
telecommunications network, the system comprising:

(a) means for receiving alarms indicative of potentially fraudulent calls
on the network, the alarms being divided into a plurality of alarm types;

(b) means for associating a unique customer identifier with each alarm;

(c) means for selecting a test class of customer identifiers such that
each customer identifier in the test class is associated with a given grouping of
alarm types;

(d) means for identifying those customer identifiers within the test class
that are associated with known fraudulent calls and deriving a measure therefrom
indicative of fraud within the test class; and

(e) means for determining that any customer identifier associated with
further alarms is connected with fraudulent use of the network if it falls within the
said test class and if the said measure for that class exceeds a given level.